Merge branch 'feature-autogen-instrumentation' into patch-openai-span-id-bug

Author: mergify[bot]

.github/.trivyignore

@@ -0,0 +1,9 @@
+# =======================
+# Ignored Vulnerabilities
+# =======================
+
+# Accepting risk due to Python 3.7 and 3.8 support.
+CVE-2025-50181
+
+# Not relevant, only affects Pyodide
+CVE-2025-50182

.github/pull_request_template.md

@@ -9,7 +9,7 @@ Include a link to the related GitHub issue, if applicable
 # Testing
 The agent includes a suite of tests which should be used to
 verify your changes don't break existing functionality. These tests will run with
-Github Actions when a pull request is made. More details on running the tests locally can be found
-[here](https://github.com/newrelic/newrelic-python-agent/blob/main/CONTRIBUTING.md#testing-guidelines),
+Github Actions when a pull request is made. More details on running the tests locally can be found in our
+[testing guidelines](https://github.com/newrelic/newrelic-python-agent/blob/main/CONTRIBUTING.md#testing-guidelines),
 For most contributions it is strongly recommended to add additional tests which
 exercise your changes.

.github/scripts/install_azure_functions_worker.sh

@@ -33,14 +33,15 @@ INVOKE="${BUILD_DIR}/.venv/bin/invoke"
 ${PIP} install pip-tools build invoke
 
 # Install proto build dependencies
-$(cd ${BUILD_DIR} && ${PIPCOMPILE} >${BUILD_DIR}/requirements.txt)
+$( cd ${BUILD_DIR}/workers/ && ${PIPCOMPILE} -o ${BUILD_DIR}/requirements.txt )
 ${PIP} install -r ${BUILD_DIR}/requirements.txt
 
-# Build proto files into pb2 files
-cd ${BUILD_DIR}/tests && ${INVOKE} -c test_setup build-protos
+# Build proto files into pb2 files (invoke handles fixing include paths for the protos)
+cd ${BUILD_DIR}/workers/tests && ${INVOKE} -c test_setup build-protos
 
 # Build and install the package into the original environment (not the build venv)
-pip install ${BUILD_DIR}
+# Do NOT use ${PIP} from the venv
+pip install ${BUILD_DIR}/workers/
 
 # Clean up and return to the original directory
 rm -rf ${BUILD_DIR}

.github/workflows/addlicense.yml

@@ -22,6 +22,9 @@ on:
       - "**"
   pull_request:
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.ref || github.run_id }}-${{ github.workflow }}
   cancel-in-progress: true

.github/workflows/build-ci-image.yml

@@ -17,6 +17,9 @@ name: Build CI Image
 on:
   workflow_dispatch: # Allow manual trigger
 
+permissions:
+  contents: read
+
 concurrency:
   group: ${{ github.ref || github.run_id }}
   cancel-in-progress: true
@@ -25,6 +28,10 @@ jobs:
   build:
     runs-on: ubuntu-24.04
 
+    permissions:
+      contents: read
+      packages: write
+
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
         with:
@@ -33,11 +40,11 @@ jobs:
 
       - name: Set up Docker Buildx
         id: buildx
-        uses: docker/setup-buildx-action@18ce135bb5112fa8ce4ed6c17ab05699d7f3a5e0 # 3.11.0
+        uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # 3.11.1
 
       - name: Generate Docker Metadata (Tags and Labels)
         id: meta
-        uses: docker/metadata-action@902fa8ec7d6ecbf8d84d538b9b233a880e428804 # 5.7.0
+        uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # 5.8.0
         with:
           images: ghcr.io/${{ github.repository }}-ci
           flavor: |
@@ -52,7 +59,7 @@ jobs:
 
       - name: Login to GitHub Container Registry
         if: github.event_name != 'pull_request'
-        uses: docker/login-action@74a5d142397b4f367a81961eba4e8cd7edddf772 # 3.4.0
+        uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # 3.5.0
         with:
           registry: ghcr.io
           username: ${{ github.repository_owner }}

.github/workflows/deploy-python.yml renamed to .github/workflows/deploy.yml

@@ -19,6 +19,9 @@ on:
     types:
       - published
 
+permissions:
+  contents: read
+
 jobs:
   build-linux-py3-legacy:
     runs-on: ubuntu-24.04
@@ -110,18 +113,22 @@ jobs:
           persist-credentials: false
           fetch-depth: 0
 
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
+        with:
+          python-version: "3.12"
+
       - name: Install Dependencies
         run: |
           pip install -U pip
-          pip install -U setuptools packaging
+          pip install -U build
 
       - name: Build Source Package
         run: |
-          python setup.py sdist
+          python -m build --sdist
 
       - name: Prepare MD5 Hash File
         run: |
-          tarball="$(python setup.py --fullname).tar.gz"
+          tarball="$(basename ./dist/*.tar.gz)"
           md5_file="${tarball}.md5"
           openssl md5 -binary "dist/${tarball}" | xxd -p | tr -d '\n' > "dist/${md5_file}"
 
@@ -135,58 +142,46 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
-  deploy:
+  publish:
     runs-on: ubuntu-24.04
+    environment: pypi
+    permissions:
+      contents: read
+      id-token: write # IMPORTANT: this permission is mandatory for trusted publishing
+      attestations: write
 
     needs:
       - build-linux-py3-legacy
       - build-linux-py3
       - build-sdist
 
     steps:
-      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
-        with:
-          persist-credentials: false
-          fetch-depth: 0
-
-      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # 5.6.0
-        with:
-          python-version: "3.x"
-          architecture: x64
-
-      - name: Install Dependencies
-        run: |
-          pip install -U pip
-          pip install -U wheel setuptools packaging twine
-
-      - name: Download Artifacts
-        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # 4.3.0@95815c38cf2ff2164869cbab79da8d1f422bc89e # 4.3.0
+      - uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # 4.3.0
         with:
-          path: ./artifacts/
-
-      - name: Unpack Artifacts
-        run: |
-          mkdir -p dist/
-          mv artifacts/**/*{.whl,.tar.gz,.tar.gz.md5} dist/
+          path: ./dist/
+          merge-multiple: true
 
       - name: Upload Package to S3
         run: |
-          tarball="$(python setup.py --fullname).tar.gz"
+          tarball="$(basename ./dist/*.tar.gz)"
           md5_file="${tarball}.md5"
           aws s3 cp "dist/${md5_file}" "${S3_DST}/${md5_file}"
           aws s3 cp "dist/${tarball}" "${S3_DST}/${tarball}"
+          rm "dist/${md5_file}"
         env:
           S3_DST: s3://nr-downloads-main/python_agent/release
           AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
           AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
           AWS_DEFAULT_REGION: us-west-2
 
-      - name: Upload Package to PyPI
-        run: |
-          twine upload --non-interactive dist/*.tar.gz dist/*.whl
-        env:
-          TWINE_USERNAME: __token__
-          TWINE_PASSWORD: ${{ secrets.PYPI_TOKEN }}
+      - name: Upload Package
+        uses: pypa/gh-action-pypi-publish@76f52bc884231f62b9a034ebfe128415bbaabdfc # 1.12.4
+
+      - name: Attest
+        uses: actions/attest-build-provenance@e8998f949152b193b063cb0ec769d69d929409be # 2.4.0
+        id: attest
+        with:
+          subject-path: ./dist/*
 
       - name: Wait for release to be available
         id: wait

.github/workflows/mega-linter.yml

@@ -22,6 +22,9 @@ on:
   # push: # Comment this line to trigger action only on pull-requests (not recommended if you don't pay for GH Actions)
   pull_request:
 
+permissions:
+  contents: read
+
 env: # Comment env block if you don't want to apply fixes
   # Apply linter fixes configuration
   APPLY_FIXES: all # When active, APPLY_FIXES must also be defined as environment variable (in github/workflows/mega-linter.yml or other CI tool)
@@ -42,7 +45,6 @@ jobs:
       contents: write
       issues: write
       pull-requests: write
-      statuses: write
     steps:
       # Git Checkout
       - name: Checkout Code
@@ -62,7 +64,6 @@ jobs:
           VALIDATE_ALL_CODEBASE: "true"
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
           # ADD YOUR CUSTOM ENV VARIABLES HERE OR DEFINE THEM IN A FILE .mega-linter.yml AT THE ROOT OF YOUR REPOSITORY
-          GITHUB_STATUS_REPORTER: "true"
           GITHUB_COMMENT_REPORTER: "true"
           PYTHON_RUFF_ARGUMENTS: --config pyproject.toml --config 'output-format="github"'
           PYTHON_RUFF_FORMAT_ARGUMENTS: --config pyproject.toml --config 'output-format="github"'

.github/workflows/tests.yml

@@ -44,6 +44,7 @@ jobs:
       - firestore
       - grpc
       - kafka
+      - oracledb
       - memcached
       - mongodb3
       - mongodb8
@@ -800,6 +801,73 @@ jobs:
           if-no-files-found: error
           retention-days: 1
 
+  oracledb:
+    env:
+      TOTAL_GROUPS: 1
+
+    strategy:
+      fail-fast: false
+      matrix:
+        group-number: [1]
+
+    runs-on: ubuntu-24.04
+    container:
+      image: ghcr.io/newrelic/newrelic-python-agent-ci:latest
+      options: >-
+        --add-host=host.docker.internal:host-gateway
+    timeout-minutes: 30
+    services:
+      oracledb:
+        image: container-registry.oracle.com/database/free:latest-lite
+        ports:
+          - 8080:1521
+          - 8081:1521
+        env:
+          ORACLE_CHARACTERSET: utf8
+          ORACLE_PWD: oracle
+        # Set health checks to wait until container has started
+        options: >-
+          --health-cmd "timeout 5 bash -c 'cat < /dev/null > /dev/udp/127.0.0.1/11211'"
+          --health-interval 10s
+          --health-timeout 5s
+          --health-retries 5
+
+    steps:
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # 4.2.2
+
+      - name: Fetch git tags
+        run: |
+          git config --global --add safe.directory "$GITHUB_WORKSPACE"
+          git fetch --tags origin
+
+      - name: Configure pip cache
+        run: |
+          mkdir -p /github/home/.cache/pip
+          chown -R "$(whoami)" /github/home/.cache/pip
+
+      - name: Get Environments
+        id: get-envs
+        run: |
+          echo "envs=$(tox -l | grep '^${{ github.job }}\-' | ./.github/workflows/get-envs.py)" >> "$GITHUB_OUTPUT"
+        env:
+          GROUP_NUMBER: ${{ matrix.group-number }}
+
+      - name: Test
+        run: |
+          tox -vv -e ${{ steps.get-envs.outputs.envs }} -p auto
+        env:
+          TOX_PARALLEL_NO_SPINNER: 1
+          PY_COLORS: 0
+
+      - name: Upload Coverage Artifacts
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # 4.6.2
+        with:
+          name: coverage-${{ github.job }}-${{ strategy.job-index }}
+          path: ./**/.coverage.*
+          include-hidden-files: true
+          if-no-files-found: error
+          retention-days: 1
+
   memcached:
     env:
       TOTAL_GROUPS: 2

.github/workflows/trivy.yml

@@ -21,6 +21,9 @@ concurrency:
   group: ${{ github.ref || github.run_id }}-${{ github.workflow }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+
 jobs:
   # Upload Trivy data
   trivy:
@@ -36,26 +39,28 @@ jobs:
 
       - name: Run Trivy vulnerability scanner in repo mode
         if: ${{ github.event_name == 'pull_request' }}
-        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.31.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
         with:
           scan-type: "fs"
           ignore-unfixed: true
           format: table
           exit-code: 1
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          trivyignores: ".github/.trivyignore"
 
       - name: Run Trivy vulnerability scanner in repo mode
         if: ${{ github.event_name == 'schedule' }}
-        uses: aquasecurity/trivy-action@76071ef0d7ec797419534a183b498b4d6366cf37 # v0.31.0
+        uses: aquasecurity/trivy-action@dc5a429b52fcf669ce959baa2c2dd26090d2a6c4 # v0.32.0
         with:
           scan-type: "fs"
           ignore-unfixed: true
           format: "sarif"
           output: "trivy-results.sarif"
           severity: "CRITICAL,HIGH,MEDIUM,LOW"
+          trivyignores: ".github/.trivyignore"
 
       - name: Upload Trivy scan results to GitHub Security tab
         if: ${{ github.event_name == 'schedule' }}
-        uses: github/codeql-action/upload-sarif@ce28f5bb42b7a9f2c824e633a3f6ee835bab6858 # 3.29.0
+        uses: github/codeql-action/upload-sarif@51f77329afa6477de8c49fc9c7046c15b9a4e79d # 3.29.5
         with:
           sarif_file: "trivy-results.sarif"

.pre-commit-config.yaml

@@ -29,7 +29,7 @@ default_install_hook_types:
 repos:
   - repo: https://github.com/astral-sh/ruff-pre-commit
     # Ruff version.
-    rev: v0.11.5
+    rev: v0.12.4
     hooks:
       # Run the linter.
       - id: ruff